A cybercrime gang based in Ukraine is estimated to have made as much as $50 million after tricking Bitcoin investors into handing over the login credentials for their online wallets.

Security researchers at Cisco Talos describe how a massive phishing operation has been co-ordinated from Ukraine, after criminals bought Google AdWords placements that posed as online ads for the legitimate and popular blockchain.info Bitcoin wallet website.

The report explains that by purchasing the ads, the gang – which has been given the name “Coinhoarder” – were able to plant phishing links at the top of Google search results:

When searching for crypto-related keywords such as “blockchain” or “bitcoin wallet,” the spoofed links would appear at the top of search results. When clicked, the link would redirect to a “lander” page and serve phishing content in the native language of the geographic region of the victim’s IP address.

The reach of these poisoned ads can be seen when analyzing DNS query data. In February 2017, Cisco observed spikes in DNS queries for the fake cryptocurrency websites where upwards of 200,000 queries per hour can be seen during the time window the ad was displayed.

Yes, it’s a very simple trick – but that doesn’t mean that it isn’t also incredibly effective, with researchers estimating that the gang has made approximately $50 million worth of Bitcoin in the past three years.

Working with law enforcement agencies in Ukraine, the researchers were able to identify the Bitcoin wallet addresses of the gang and track their activity. In the last four months of 2017 alone, around $10 million was stolen. In one specific run of just 3.5 weeks the Coinhoarder gang made $2 million.

Fascinatingly, it appears that the criminals were particularly keen to target individuals in African countries and developing nations where banking ...